Abstract — This paper provides a detailed study of the techniques and types of intrusion detection systems in a
manner more suitable for an analytical environment, and then covers the performance assessment of various
network intrusion detection tools.
I. INTRODUCTION

Every hacker in the world is one's neighbor on the Internet, which results in attack defense and detection being 
pervasive both at home and work. Although hundreds of papers have been written on a large variety of methods of 
intrusion detection — from log analysis, to packet analysis, statistics, data mining, and sophisticated computational 
intelligence methods — and even though similar data structures are used by the various types of intrusion analysis, apparently 
little has been published on a methodical mathematical description of how data is manipulated and perceived in network 
intrusion detection from binary network packets to more manageable data structures such as vectors and matrices. 

Intrusion detection and prevention systems, IDS and IPS, are among the most recent security tools.
According to their features they can be classified in different ways, for example by their detection and
prevention techniques, their architecture or their range of detection [3]. In spite of their utility, in practice most
IDS/IPS suffer from two problems: a large number of false positives and a large number of false negatives. False
positives, or false alerts, are generated when the IDS/IPS identifies normal activity as an intrusion, whereas false
negatives correspond to attacks or intrusions that are not detected, so that no alert is generated [4]. IDS/IPS designers
try to overcome these limitations by developing new algorithms and architectures.

It is therefore important for them to evaluate the improvements brought by these new devices. In the same way,
network and systems administrators need to assess IDS/IPS in order to choose the best one before installing it on
their networks or systems, and then to keep evaluating its efficiency in operation. Unfortunately, many false
positives and false negatives persist in new versions of IDS/IPS, so the improvements brought are not commensurate
with the continuous research and development effort in the domain of intrusion detection and prevention. In general,
this is essentially due to the absence of efficient methods for assessing security tools, and IDS/IPS in particular.

II. LLNIDS TYPES OF INTRUSION DETECTION 

The new types are explained below, but first some terminology needs to be stated in order to later describe the
types. An Intrusion Detection System (IDS) is software or an appliance that detects intrusions. A Network Intrusion
Detection System (NIDS) is an appliance that detects an intrusion on a network. In this research, network means a landline
network. Local network intrusion detection refers to the instant case of network intrusion detection. Figure 1 illustrates the
location of a Local Landline Network Intrusion Detection System (LLNIDS) as used in this research. The LLNIDS in Figure 1
is represented by the rounded box in the center labelled "Local NIDS". It is an IDS on a landline between a local network
and the Internet. The point of view of this research is from inside the LLNIDS. Users on the local network may have other
ways of accessing the Internet that bypass the LLNIDS, such as wireless and dialup. This research is restricted to the
LLNIDS as described here.

Network Intrusion Detection Types and Analysis of their Tools 

[Figure 1 (diagram): the "Local NIDS" box sits on the landline between the local network and the Internet; the
Wireless and Dialup paths bypass it.]

Figure 1: A Local Landline NIDS

Examples of detection that are not Local Landline Network Intrusion Detection (LLNID) include detection on
the host computer, detection by someone else out on the Internet, or detection by someone out in the world, such as someone
witnessing a perpetrator bragging in a bar. This research concerns LLNID, and the new types described in this paper refer to
LLNID. A network intrusion in this context means one or more transmissions across the network that involve an intrusion.
A single Internet transmission is often called a packet. Therefore, using this terminology, the physical manifestation of an
intrusion on a network is one or more packets, and intrusion detection is the detection of the packets that constitute
intrusions. In this context, intrusion detection is similar to data mining. Intrusion detection research needs a model of types
of intrusions and types of intrusion detection that benefits the analysis of methods. This research focuses only on LLNID. These
are the proposed types of intrusions for the special case of local landline network intrusion detection that facilitate intrusion
detection research analysis in the LLNID context:

Type 1 Intrusion: An intrusion which can be positively detected in one or more packets in transit on the local network in a
given time period.

Type 2 Intrusion: An intrusion for which one or more symptoms (only) can be detected in one or more packets in transit
on the local network in a given time period.

Type 3 Intrusion: An intrusion which cannot be detected in packets in transit on the network in a given time period.

These three types of intrusions are necessary for analytical research in order to indicate and compare kinds of
intrusions. A positive intrusion is different from only a symptom of an intrusion because immediate action can be taken on
the first, whereas further analysis is needed for the second. Both of these are different from intrusions which have been
missed by an LLNIDS. To show that these three types are mutually exclusive and complete for a given time period,
consider all of the intrusions for a given time period, such as a 24-hour day. The intrusions which were positively identified
by the LLNIDS are Type 1 intrusions. Of the remaining intrusions, the ones for which the LLNIDS found symptoms are
Type 2. Here the hypothesis is that the LLNIDS can only find an intrusion positively, or only find one or more symptoms.
No other results can be returned by the LLNIDS. Therefore, the remaining intrusions are Type 3, which are intrusions
not detected by the LLNIDS. No other types of intrusions in this context are possible.

Figure 2 is a diagram that illustrates the types of intrusions as described above. An intrusion is either Type 1, Type
2, Type 3, or it is not an intrusion. Those were the types of intrusions. Next are the types of intrusion detection.

Figure 2. Types of Intrusions for LLNIDS

There are three types of network intrusion detection that correspond to the three types of intrusions in the LLNID context: 

• Type 1 Network Intrusion Detection: A Type 1 Intrusion is detected in a given time period. 

• Type 2 Network Intrusion Detection: One or more symptoms (only) of a Type 2 Intrusion are detected in a given 
time period. 

• Type 3 Network Intrusion Detection: No intrusion is detected in a given time period. 

Admittedly, Type 3 is not a detection but the lack of detection. It is included because these three types of detection 
correspond to the three types of intrusions and Type 3 Intrusion Detection facilitates analysis of intrusion detection methods. 
Examples of Type 3 Intrusion Detection are: nothing was detected; no attempt was made at detection; an intrusion occurred
but was not detected by the LLNIDS; and no intrusion occurred. All of these have the same result: there was no detection of
an intrusion by the LLNIDS.

Each of the three network intrusion detection types is necessary to describe all of the types of intrusion detection. 
A positive detection of an intrusion is different than just a symptom of an intrusion because a positive detection can be 
immediately acted upon while a symptom indicates that further analysis is needed. Both of these are different than intrusions 
that are missed by network intrusion detection. To show that these types are mutually exclusive and complete for a given 
time period, consider an LLNIDS looking at network packets for a given time period, say a 24-hour day. 

For all packets that the LLNIDS determines positively indicate an intrusion, the LLNIDS has accomplished Type
1 intrusion detection. Of the remaining packets, for each packet that the LLNIDS determines is a symptom of an intrusion,
the LLNIDS has accomplished Type 2 intrusion detection. The remaining packets represent Type 3 intrusion detection.
These three types of network intrusion detection are complete in this context because they cover all possibilities of intrusion
detection. In common language, Type 1 is a certainty, Type 2 is a symptom, and Type 3 is an unknown.

Those were types of intrusion detection. Next are types of methods and alerts. LLNID methods can be defined in 
terms of the three intrusion types: 

• Type 1 NID Method/Alert: A method that detects a Type 1 Intrusion and an alert that indicates a Type 1
Intrusion.

• Type 2 NID Method/Alert: A method that detects a symptom of a Type 2 Intrusion and an alert that indicates a
symptom (only) of a Type 2 Intrusion.

• Type 3 NID Method/Alert: A method that does not exist, thus there is no alert.

These types of methods and alerts are necessary to differentiate that some methods are positively correct, other 
methods only indicate symptoms of intrusions, and some methods do not exist. They are mutually exclusive because a local 
method either positively indicates an intrusion (Type 1), it only detects a symptom of an intrusion (Type 2), or it does not 
exist (Type 3). They are complete because there are no other types of methods in this context. 

Those were types of methods and alerts. Next are types of false positives. The term false positive generally has 
meant that an intrusion detection system has sent a false alarm. False positives are generally undesirable because the false 
positive rate of intrusion detection systems can be high and can use up a lot of seemingly unnecessary, and limited, 
resources. However, with these new types, the concept of a false positive is different for different intrusion detection types in 
the LLNIDS context. 

• Type 1 False Positive: A Type 1 Method produces an alarm in the absence of an intrusion. 

• Type 2 False Positive: A Type 2 method produces an alarm in the absence of an intrusion. 

• Type 3 False Positive: Does not exist because no alarm is produced. 

A Type 1 False Positive indicates a problem with the Type 1 method which should be corrected. Type 2 False
Positives are expected because Type 2 Methods do not positively detect intrusions; they only detect symptoms of intrusions.
There is no Type 3 False Positive because no detections and alerts are produced for Type 3 Intrusion Detection. These types
of false positive are necessary because they each indicate separate network intrusion detection issues: Type 1 is a network
intrusion detection problem which needs to be corrected, and Type 2 is expected. The two types of false positive are mutually
exclusive and complete because only Type 1 Network Intrusion Detection can produce a Type 1 False Positive and only Type
2 Network Intrusion Detection can produce a Type 2 False Positive. No other types of false positives in this context are
possible. Since Type 1 and Type 2 local network intrusion detection methods are mutually exclusive, these false positive
types are also mutually exclusive.

Figure 3 is a Venn diagram which illustrates types of intrusion detection in the LLNIDS context. The horizontal 
line separates intrusions at the top from non-intrusions at the bottom. A Type 1 detection is in the upper left of the circle if it 
is actually an intrusion or it is in the lower left of the circle if it is a false positive. A Type 2 detection is in the upper right of 
the circle if it is actually an intrusion or it is in the lower right of the circle if it is a false positive. Everything outside of the 
circle is Type 3 detection whether it is an intrusion or not. 
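The typing of intrusions, detections and false positives described above, carried out over one time period, as an added worked example (this is not code from the paper); the alert kinds, intrusion ids and the 24-hour sample data are constructed assumptions:

```python
"""Worked example of the LLNID typing from Section II.

Constructed sample data (not from the paper): each intrusion in a 24-hour
period has an id; the LLNIDS emits alerts that are either a POSITIVE
detection (a Type 1 method) or a SYMPTOM (a Type 2 method), each referring
to an intrusion id, or to None when the alert fired on benign traffic.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

POSITIVE, SYMPTOM = "positive", "symptom"


@dataclass(frozen=True)
class Alert:
    kind: str                    # POSITIVE or SYMPTOM
    intrusion_id: Optional[str]  # None => no intrusion behind the alert


def type_intrusions(intrusions: Iterable[str], alerts: Iterable[Alert]):
    """Partition the period's intrusions into Type 1, Type 2 and Type 3.

    Type 1: positively detected. Of the rest, Type 2: at least one symptom
    was detected. Type 3: nothing detected. Built as set differences so the
    three sets are disjoint and together cover every intrusion, which is the
    mutual-exclusivity and completeness argument of the paper.
    """
    alerts = list(alerts)
    positives = {a.intrusion_id for a in alerts
                 if a.kind == POSITIVE and a.intrusion_id is not None}
    symptoms = {a.intrusion_id for a in alerts
                if a.kind == SYMPTOM and a.intrusion_id is not None}
    all_intrusions = set(intrusions)
    type1 = all_intrusions & positives
    type2 = (all_intrusions & symptoms) - type1
    type3 = all_intrusions - type1 - type2
    return type1, type2, type3


def false_positives(alerts: Iterable[Alert]) -> dict:
    """Count alerts with no intrusion behind them, kept separate per method type.

    A Type 1 false positive signals a defect in a Type 1 method; Type 2 false
    positives are expected, so the two counts must not be pooled or compared.
    There is no Type 3 entry because Type 3 detection produces no alert.
    """
    fp = Counter(a.kind for a in alerts if a.intrusion_id is None)
    return {"type1_fp": fp[POSITIVE], "type2_fp": fp[SYMPTOM]}


# Constructed 24-hour sample: five intrusions, one of them missed entirely.
SAMPLE_INTRUSIONS = ["i1", "i2", "i3", "i4", "i5"]
SAMPLE_ALERTS = [
    Alert(POSITIVE, "i1"), Alert(SYMPTOM, "i1"),   # certainty: Type 1 wins
    Alert(SYMPTOM, "i2"), Alert(SYMPTOM, "i2"),    # symptoms only: Type 2
    Alert(POSITIVE, "i3"), Alert(SYMPTOM, "i4"),
    Alert(POSITIVE, None),                         # Type 1 FP: fix the method
    Alert(SYMPTOM, None), Alert(SYMPTOM, None),    # Type 2 FPs: expected
]

if __name__ == "__main__":
    t1, t2, t3 = type_intrusions(SAMPLE_INTRUSIONS, SAMPLE_ALERTS)
    print(sorted(t1), sorted(t2), sorted(t3), false_positives(SAMPLE_ALERTS))
```

Intrusion i5 lands in Type 3, which by the paper's research objectives is the case to investigate first, since it is invisible to every current method.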

This typing system allows us to illustrate that empirically most intrusion detection is not Type 1 (positive detections),
but Type 2 (symptoms of intrusions) and Type 3 (missed detections). This differentiation is essential in proceeding in a
scientific way towards improved intrusion detection. Previously labeled types of intrusion detection do not fit neatly into these
three new types. Misuse detection, for example, in some cases could indicate a definite intrusion and would then be Type 1,
or it could indicate only symptoms of intrusions in other cases and would then be Type 2. The comparison of false positives
of different methods of Misuse Detection is an invalid technique unless Type 1 methods are compared only with Type 1
methods and Type 2 methods are compared only with Type 2 methods. Anomaly detection, for example, would tend to be
Type 2, but some anomalies could clearly indicate intrusions and would be Type 1. Type 1 and Type 2 methods of Anomaly
Detection should be separated before making any comparisons. Likewise with intrusion detection labels based on activity,
appearance, authentication analysis, behavior, knowledge, models, profiles, rules, signature, static analysis, statistics, and
thresholds. These are still useful as descriptive terms, but they are not as useful in analyzing methods of determining whether
or not an intrusion has occurred because they allow the comparison of apples and oranges in numerous ways. The labels
Type 1 and Type 2 give us more analytical information: either an intrusion has occurred or else only a symptom of an
intrusion has occurred. Type 3 intrusions tell us that we should find out why an intrusion was not detected in the network
traffic so that we can create new rules to find more intrusions in the future. Previously labeled types of intrusion detection do
not give us as much analytical information as do Types 1, 2, and 3.

Using this system, one can clearly state the objectives of LLNID research in a new way which was previously only
implied. The significance of the given time period is apparent in the description of these objectives because the objectives are
stated in terms of progress from one time period to the next. Here are the specific objectives for LLNID research:

• Type 3 NID Research: Find ways of detecting intrusions that are currently not being detected, moving them up to 
type 2 or 1 intrusion detection. 

• Type 2 NID Research: Improve Type 2 Intrusion Detection with the goal of moving it up to Type 1 Intrusion 
Detection. 

• Type 1 NID Research: Improve Type 1 Intrusion Detection so that it is faster, uses fewer resources, and has fewer 
false positives. 

Each of these types of research is necessary because finding new methods of intrusion detection is different from
improving symptom detection, which is different from making Type 1 Intrusion Detection more efficient. They are also
complete because there are no other types of intrusion detection research in this context.

Figure 3. Types of Intrusion Detection for LLNID

Table 1 summarizes the types discussed in this section. These are some ways in which researchers can use these
types: research that compares false positive rates of Type 1 methods with false positive rates of Type 2 methods is not valid
because Type 1 methods are not supposed to have false positives, whereas Type 2 methods are expected to have false
positives. Discounting Type 3 intrusion detection because of the amount of time taken may be irrelevant if otherwise the
intrusion would not be found at all. Proposing that intrusion prevention will replace intrusion detection is a false claim so
long as Type 2 and Type 3 intrusions continue to exist. Rather than disregarding Type 2 methods, research should attempt to fuse
the results of Type 2 methods in order to move them up to Type 1.
TABLE I
Summary of LLNID Types
III. TOOLS OF NIDS

In order to ensure the security of data, various tools are available. They are mainly used together in
order to secure the system as a whole. There is no perfectly complete system; the optimum security is achieved as a result of
the combination of several systems. Moreover, most of these solutions are developed by the leading security companies.
These solutions are complete and can easily be put to work in a network, which is also true for their updates. The modular
format they use allows them to have several agents reporting to a centralized interface. However, these solutions are
particularly expensive.

The table below shows a study of the most used detection and prevention solutions in the commercial and
open source domains.
IV. CONCLUSION

This paper provided a new way of looking at network intrusion detection research, including intrusion detection
types that are necessary, complete, and mutually exclusive, to aid in the fair comparison of intrusion detection methods and to
aid in focusing research in this area. We are working on the implementation of an attack screening tool and the
characterization of test data. We also focus on the collection of exploits and attacks to classify and identify. Further work is
under way and many avenues remain to be explored. It would then be interesting to conduct assessments of existing IDS
following the approaches we have proposed and the tools developed in this work.